Network Security for CIOs: A Marathon or a Sprint?

The crack of the starting gun has very different meanings for runners, depending on the distance of their race. To marathoners, it means to start conserving their energy as they take the first step in their 26.2-mile journey. To sprinters, the starting gun is a signal to channel all of their physical and mental ability toward completing one goal that is only seconds and a handful of meters away. Perhaps that’s why we always hear “it’s a marathon, not a sprint” – most goals are far away, and they require focus to be met. But maybe this is unfair to sprinters. After all, if the average person were asked to name a runner, he or she would be more likely to say Usain Bolt – the fastest man in the world and, by the way, a short-distance runner – than the most recent winners of the Boston Marathon.

The world of IT is going through the same transition, away from the traditional support of “marathoning” to meet goals. Technology has evolved to the point where it’s often pure speed – not slow-moving, deliberate execution – that IT departments need to thrive. David Wright, CIO of McGraw-Hill Education, has seen the transition first-hand. He said that the “innovation tempo” has increased for his company as the market has changed. Although Wright’s comments are generally about IT as it relates to product development and other customer-facing activities, the takeaways extend into other realms of IT, including network security.

Learning to Jump Hurdles

For CIOs, network security isn’t so much about the speed vs. distance analogy. A CIO really needs the best...

The Next ‘Black Swan’ Event: A Cyberattack?

Sprinkled throughout the course of history are flashpoints that were as unexpected as they were far-reaching. Catastrophic events like the September 11 attacks come immediately to mind, but so too does the birth of the Internet and the rise of Google. These unprecedented, unpredictable events were given a name in 2007 by author Nassim Nicholas Taleb – black swans. In his book, “The Black Swan: The Impact of the Highly Improbable,” Taleb explains how, in the aftermath of these events, we try to find bread crumbs that could have possibly predicted the event. It’s human nature. That’s why people are always so eager to determine what the next black swan will be, so that they can help spare the world some surprise when one does finally strike. The latest prediction comes from Chairman Greg Medcraft of the International Organization of Securities Commissions (IOSCO), who said: “The next black swan event will come from cyberspace. It is important that we pay attention.”

Threats of a Different Color

At first, it would seem as though Medcraft’s prediction isn’t all that surprising. How could it be, six months after President Obama announced new cybersecurity initiatives and, in the process, called network security threats “one of the most serious economic and national security challenges we face as a nation”? If the leader of the free world has identified something as a serious threat, then it probably doesn’t check the box for “unexpected” in the “black swan criteria” list. Of course, that doesn’t make the threat of network security attacks any less dire. A black swan event could theoretically claim more victims than the...

‘BadUSB’ Malware Leaves Terrible Taste at Black Hat 2014

If awards were given out at Black Hat 2014, one nominee for “Exploit of the Conference” would have won in a runaway – the “BadUSB” exploit. Researchers Karsten Nohl and Jakob Lell caused quite a stir in Las Vegas earlier this month, which quickly spread to the rest of the world of cybersecurity, when they showed how USB drives could be reprogrammed and transformed into portable malware carriers. Nohl and Lell explained that since USB drives are designed to be reprogrammable, a hacker could make a drive masquerade as another device. In one example, an attacker could reprogram a USB device to assume the function of a keyboard, and then issue commands to the computer or install malware. And possibly the worst part of the vulnerability is that a user has no visibility into the software running a USB drive, so there’s no way to find out if their drive has been affected. In the wrong hands, a BadUSB drive really is “scarily insecure,” as Nohl put it.

USB Drives are Repeat Cybersecurity Offenders

Long before Black Hat 2014, it was widely known that USB drives are not the most secure way to transfer data between devices. Convenient, yes. Secure, no. Not only are USB drives easy to lose, but any device with a USB interface could potentially be affected by malware originating from a USB drive, including laptops and phones. As far back as July 2011, the Ponemon Institute found that 70 percent of businesses could trace data breaches back to USB drives. Even the NSA found USB drives to be useful for espionage purposes. In December 2013,...

Poor Communication Leads to Defeat on the Network Security Battlefield

In September 1862, the 27th Indiana Infantry Regiment, situated near Frederick, Maryland, made a discovery that could have altered the Civil War. It all began without much fanfare. Two soldiers found three cigars, held together with an unassuming piece of paper. There was nothing extraordinary about it, until the soldiers realized the document was actually a Confederate battle plan. The soldiers then acted quickly, passing the battle plan up the chain of command, all the way to Union leader General George B. McClellan, who, historians note, could have used that information to “destroy the opposing army one piece at a time.” Yet, McClellan took 18 hours to act, and by the time he started moving against the Confederate forces, General Robert E. Lee had enough time to mobilize his forces and hold off the assault.

The Power of Information

During wartime, information can create just as much of an advantage for one side as the size of an army or the weapons they hold. That is, as long as this information is accurate, passed along to the right people and then acted upon quickly. In McClellan’s case, everything fell into place, except for the “acted upon” step. The situation is similar for IT security professionals today, in their own war against threats to cybersecurity. They constantly gather intelligence about threats to sensitive corporate information and they understand how remote access vulnerabilities could be exploited by attackers. Where they fall short – or rather, where their “commanding officers” (executive teams) fall short – is with how that information is passed along and acted upon. Nearly one-third of IT security teams...

Government Network Security Failures Led to Remote Access Breaches

As technology advances, the number of cyber-attacks on both public and private networks also increases. According to the Washington Post, in 2013 alone, more than 3,000 enterprises were notified of system hacks that had the potential to expose sensitive information and powerfully damage their brands. Former NSA director Keith Alexander pointed out earlier this week that government networks are far from secure, as the NSA and the Department of Defense uncovered more than 1,500 pieces of malware on the U.S. government’s most secret networks. “What causes me the greatest concern is what might happen if our nation was hit by a destructive cyber-attack,” Alexander said, noting that most of the country’s critical networks are operated by private industry. “If [a destructive attack] hit one of our Wall Street banks, the monetary damage could be in the trillions of dollars. We’re not ready.” That is certainly a chilling thought, but are government agencies doing enough to secure remote access to their networks and the networks themselves? All signs point to no due to the increasing number of breaches agencies have been reporting recently, such as the public utility industrial control system (ICS) compromise reported by the Department of Homeland Security this month. Needless to say, urgent action needs to be taken to defend against such attacks. In fact, Alexander’s comments could not have come at a better time, as the Montana Department of Public Health and Human Services was recently hacked and 1.3 million patients had to be notified that their sensitive information was potentially compromised. While there was no proof that the data was used for nefarious purposes, the...